Skip to content

Commit

Permalink
fix(wasm/config): correctly map inherited directives
Browse files Browse the repository at this point in the history 
The Kong Wasm integration inherits certain configuration properties
defined for Kong; among others, it inherits injected Nginx directives.
As implemented in #11218, the
integration inherited certain directives from the `ngx_http_proxy_module`,
while  the desired behavior is to inherit from the `ngx_lua_module`, so
that Lua and Wasm extensions operate under the same settings. This commit
implements that change.
  • Loading branch information
@gszr
gszr committed Jul 19, 2023
1 parent 6db62fc commit a55079f
Show file tree
Hide file tree
Showing 2 changed files with 128 additions and 97 deletions.
126 changes: 49 additions & 77 deletions kong/conf_loader/init.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1856,6 +1856,55 @@ local function load(path, custom_conf, opts)
end
end

-- Wasm module support
if conf.wasm then
local wasm_filters = get_wasm_filters(conf.wasm_filters_path)
conf.wasm_modules_parsed = setmetatable(wasm_filters, _nop_tostring_mt)

local function add_wasm_directive(directive, value, prefix)
local directive_name = (prefix or "") .. directive
if conf[directive_name] == nil then
conf[directive_name] = value
end
end

local wasm_main_prefix = "nginx_wasm_"

-- proxy_wasm_lua_resolver is intended to be 'on' by default, but we can't
-- set it as such in kong_defaults, because it can only be used if wasm is
-- _also_ enabled. We inject it here if the user has not opted to set it
-- themselves.
add_wasm_directive("nginx_http_proxy_wasm_lua_resolver", "on")

-- wasm vm properties are inherited from previously set directives
if conf.lua_ssl_trusted_certificate and #conf.lua_ssl_trusted_certificate >= 1 then
add_wasm_directive("tls_trusted_certificate", conf.lua_ssl_trusted_certificate[1], wasm_main_prefix)
end

if conf.lua_ssl_verify_depth and conf.lua_ssl_verify_depth > 0 then
add_wasm_directive("tls_verify_cert", "on", wasm_main_prefix)
add_wasm_directive("tls_verify_host", "on", wasm_main_prefix)
add_wasm_directive("tls_no_verify_warn", "on", wasm_main_prefix)
end

local wasm_inherited_injections = {
nginx_http_lua_socket_connect_timeout = "nginx_http_wasm_socket_connect_timeout",
nginx_proxy_lua_socket_connect_timeout = "nginx_proxy_wasm_socket_connect_timeout",
nginx_http_lua_socket_read_timeout = "nginx_http_wasm_socket_read_timeout",
nginx_proxy_lua_socket_read_timeout = "nginx_proxy_wasm_socket_read_timeout",
nginx_http_lua_socket_send_timeout = "nginx_http_wasm_socket_send_timeout",
nginx_proxy_lua_socket_send_timeout = "nginx_proxy_wasm_socket_send_timeout",
nginx_http_lua_socket_buffer_size = "nginx_http_wasm_socket_buffer_size",
nginx_proxy_lua_socket_buffer_size = "nginx_proxy_wasm_socket_buffer_size",
}

for directive, wasm_directive in pairs(wasm_inherited_injections) do
if conf[directive] then
add_wasm_directive(wasm_directive, conf[directive])
end
end
end

do
local injected_in_namespace = {}

Expand Down Expand Up @@ -1967,83 +2016,6 @@ local function load(path, custom_conf, opts)
end
end

-- WebAssembly module support
if conf.wasm then

local wasm_directives = conf["nginx_wasm_main_directives"]

local wasm_filters = get_wasm_filters(conf.wasm_filters_path)
conf.wasm_modules_parsed = setmetatable(wasm_filters, _nop_tostring_mt)

-- wasm vm properties are inherited from previously set directives
if conf.lua_ssl_trusted_certificate then
if #conf.lua_ssl_trusted_certificate >= 1 then
insert(wasm_directives, {
name = "tls_trusted_certificate",
value = conf.lua_ssl_trusted_certificate[1],
})
end
end
if conf.lua_ssl_verify_depth and conf.lua_ssl_verify_depth > 0 then
insert(wasm_directives, {
name = "tls_verify_cert",
value = "on",
})
insert(wasm_directives, {
name = "tls_verify_host",
value = "on",
})
insert(wasm_directives, {
name = "tls_no_verify_warn",
value = "on",
})
end

local found_proxy_wasm_lua_resolver = false

for _, directive in ipairs(conf["nginx_http_directives"]) do
if directive.name == "proxy_connect_timeout" then
insert(wasm_directives, {
name = "socket_connect_timeout",
value = directive.value,
})
elseif directive.name == "proxy_read_timeout" then
insert(wasm_directives, {
name = "socket_read_timeout",
value = directive.value,
})
elseif directive.name == "proxy_send_timeout" then
insert(wasm_directives, {
name = "socket_send_timeout",
value = directive.value,
})
elseif directive.name == "proxy_buffer_size" then
insert(wasm_directives, {
name = "socket_buffer_size",
value = directive.value,
})
elseif directive.name == "large_client_header_buffers" then
insert(wasm_directives, {
name = "socket_large_buffers",
value = directive.value,
})
elseif directive.name == "proxy_wasm_lua_resolver" then
found_proxy_wasm_lua_resolver = true
end
end

-- proxy_wasm_lua_resolver is intended to be 'on' by default, but we can't
-- set it as such in kong_defaults, because it can only be used if wasm is
-- _also_ enabled. We inject it here if the user has not opted to set it
-- themselves.
if not found_proxy_wasm_lua_resolver then
insert(conf["nginx_http_directives"], {
name = "proxy_wasm_lua_resolver",
value = "on",
})
end
end

for _, dyn_namespace in ipairs(DYNAMIC_KEY_NAMESPACES) do
if dyn_namespace.injected_conf_name then
sort(conf[dyn_namespace.injected_conf_name], function(a, b)
Expand Down
99 changes: 79 additions & 20 deletions spec/01-unit/04-prefix_handler_spec.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -841,6 +841,7 @@ describe("NGINX conf compiler", function()
return ngx_conf
end
local ngx_cfg = function(cfg, debug) return _compile(cfg, prefix_handler.compile_nginx_conf, debug) end
local kong_ngx_cfg = function(cfg, debug) return _compile(cfg, prefix_handler.compile_kong_conf, debug) end

local debug = false
it("has no wasm{} block by default", function()
Expand All @@ -864,6 +865,27 @@ describe("NGINX conf compiler", function()
ngx_cfg({ wasm = true, nginx_wasm_shm_cache="10m", nginx_wasm_shm_counters="10m"}, debug)
)
end)
it("injects default configurations if wasm=on", function()
assert.matches(
".+proxy_wasm_lua_resolver on;.+",
kong_ngx_cfg({ wasm = true, }, debug)
)
end)
it("does not inject default configurations if wasm=off", function()
assert.not_matches(
".+proxy_wasm_lua_resolver on;.+",
kong_ngx_cfg({ wasm = false, }, debug)
)
end)
it("permits overriding proxy_wasm_lua_resolver", function()
assert.matches(
".+proxy_wasm_lua_resolver off;.+",
kong_ngx_cfg({ wasm = true,
-- or should this be `false`? IDK
nginx_http_proxy_wasm_lua_resolver = "off",
}, debug)
)
end)
it("injects runtime-specific directives (wasmtime)", function()
assert.matches(
"wasm {.+wasmtime {.+flag flag1 on;.+flag flag2 1m;.+}.+",
Expand Down Expand Up @@ -895,6 +917,16 @@ describe("NGINX conf compiler", function()
)
end)
describe("injects inherited directives", function()
it("only if one isn't explicitly set", function()
assert.matches(
".+wasm_socket_connect_timeout 2s;.+",
kong_ngx_cfg({
wasm = true,
nginx_http_wasm_socket_connect_timeout = "2s",
nginx_http_lua_socket_connect_timeout = "1s",
}, debug)
)
end)
describe("lua_ssl_trusted_certificate", function()
it("with one cert", function()
assert.matches(
Expand Down Expand Up @@ -938,48 +970,75 @@ describe("NGINX conf compiler", function()
}, debug)
)
end)
it("proxy_connect_timeout", function()
it("lua_socket_connect_timeout (http)", function()
assert.matches(
"wasm {.+socket_connect_timeout 1s;.+}",
ngx_cfg({
".+wasm_socket_connect_timeout 1s;.+",
kong_ngx_cfg({
wasm = true,
nginx_http_proxy_connect_timeout = "1s",
nginx_http_lua_socket_connect_timeout = "1s",
}, debug)
)
end)
it("proxy_read_timeout", function()
it("lua_socket_connect_timeout (proxy)", function()
assert.matches(
"wasm {.+socket_read_timeout 1s;.+}",
ngx_cfg({
"server {.+wasm_socket_connect_timeout 1s;.+}",
kong_ngx_cfg({
wasm = true,
nginx_http_proxy_read_timeout = "1s",
nginx_proxy_lua_socket_connect_timeout = "1s",
}, debug)
)
end)
it("proxy_send_timeout", function()
it("lua_socket_read_timeout (http)", function()
assert.matches(
"wasm {.+socket_send_timeout 1s;.+}",
ngx_cfg({
".+wasm_socket_read_timeout 1s;.+",
kong_ngx_cfg({
wasm = true,
nginx_http_proxy_send_timeout = "1s",
nginx_http_lua_socket_read_timeout = "1s",
}, debug)
)
end)
it("proxy_buffer_size", function()
it("lua_socket_read_timeout (proxy)", function()
assert.matches(
"wasm {.+socket_buffer_size 1m;.+}",
ngx_cfg({
"server {.+wasm_socket_read_timeout 1s;.+}",
kong_ngx_cfg({
wasm = true,
nginx_http_proxy_buffer_size = "1m",
nginx_proxy_lua_socket_read_timeout = "1s",
}, debug)
)
end)
it("large_client_header_buffers", function()
it("proxy_send_timeout (http)", function()
assert.matches(
"wasm {.+socket_large_buffers 4 24k;.+}",
ngx_cfg({
".+wasm_socket_send_timeout 1s;.+",
kong_ngx_cfg({
wasm = true,
nginx_http_lua_socket_send_timeout = "1s",
}, debug)
)
end)
it("proxy_send_timeout (proxy)", function()
assert.matches(
"server {.+wasm_socket_send_timeout 1s;.+}",
kong_ngx_cfg({
wasm = true,
nginx_proxy_lua_socket_send_timeout = "1s",
}, debug)
)
end)
it("proxy_buffer_size (http)", function()
assert.matches(
".+wasm_socket_buffer_size 1m;.+",
kong_ngx_cfg({
wasm = true,
nginx_http_lua_socket_buffer_size = "1m",
}, debug)
)
end)
it("proxy_buffer_size (proxy)", function()
assert.matches(
"server {.+wasm_socket_buffer_size 1m;.+}",
kong_ngx_cfg({
wasm = true,
nginx_http_large_client_header_buffers = "4 24k",
nginx_proxy_lua_socket_buffer_size = "1m",
}, debug)
)
end)
Expand Down

0 comments on commit a55079f

Please sign in to comment.